Episode sponsors: Binarly, the supply chain security experts (https://binarly.io) XZ.fail backdoor detector (https://xz.fail) Cris Neckar is a veteran security researcher now working as a partner at Two Bear Capital. In this episode, he reminisces on the early days of hacking at Neohapsis, his time on the Google Chrome security team, shenanigans at Pwn2Own/Pwnium, and the cat-and-mouse battle for browser exploit chains. We also discuss the zero-day exploit marketplace, the hype and...

Episode sponsors: Binarly, the supply chain security experts (https://binarly.io) XZ.fail backdoor detector (https://xz.fail) Malware paleontologist Costin Raiu returns for an emergency episode on the XZ Utils software supply chain backdoor. We dig into the timeline of the attack, the characteristics of the backdoor, affected Linux distributions, and the reasons why 'Tia Jan' is the handiwork of a cunning nation-state. Based on all the clues available, Costin pinpoints three main...

Episode sponsors: Binarly, the supply chain security experts (https://binarly.io) FwHunt (https://fwhunt.run) Katie Moussouris founded Luta Security in 2016 and bootstrapped it into a profitable business with a culture of equity and healthy boundaries. She is a pioneer in the world of bug bounties and vulnerability disclosure and serves in multiple advisory roles for the U.S. government, including the new CISA Cyber Safety Review Board (CSRB). In this episode, Moussouris discusses Luta...

Episode sponsors: Binarly, the supply chain security experts (https://binarly.io) FwHunt (https://fwhunt.run) Costin Raiu has spent a lifetime in anti-malware research, working on some of the biggest nation-state APT cases in history, including Stuxnet, Duqu, Equation Group, Red October, Turla and Lazarus. In this exit interview, Costin digs into why he left the GReAT team after 13 years at the helm, ethical questions on exposing certain APT operations, changes in the nation-state...

Episode sponsors: Binarly, the supply chain security experts (https://binarly.io) FwHunt (https://fwhunt.run) Danny Adamitis is a principal information security engineer at Black Lotus Labs, the threat research division within Lumen Technologies. On this episode of the show, we discuss his team's recent discovery of an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group...

Episode sponsors: Binarly, the supply chain security experts (https://binarly.io) FwHunt (https://fwhunt.run) Allison Miller is founder and CEO of Cartomancy Labs and former CISO and VP of Trust at Reddit. She has spent the past 20 years scaling teams and technology at Bank of America, Google, Electronic Arts, PayPal/eBay, and Visa International. In this conversation, we discuss the convergence of security with fraud prevention and anti-abuse, the challenges and complexities in IAM...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Rob Ragan, principal architect and security strategist at Bishop Fox, joins the show to share insights on scaling pen testing, the emergence of bug bounty programs, the value of attack surface management, and the role of AI in cybersecurity. We dig into the importance of proactive defense, the challenges of consolidating security tools, and the potential of AI in augmenting human intelligence. The conversation...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Seth Spergel is managing partner at Merlin Ventures, where he is responsible for identifying cutting-edge companies for Merlin to partner with and invest in. In this episode, Seth talks about helping startups target US federal markets, the current state of deal sizes and valuations, and the red-hot sectors in cybersecurity ripe for venture investment. Links: Seth Spergel bio — Seth has more than 20 years of...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Dan Lorenc is CEO and co-founder of Chainguard, a company that raised $116 million in less than two years to tackle open source supply chain security problems. In this episode, Dan joins Ryan to chat about the demands of building a "growth mode" startup, massive funding rounds and VC expectations, fixing the "crappy" CVE and CVSS ecosystems, managing expectations around SBOMs, and how politicians and lobbyists...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Nick Biasini has been working in information security for nearly two decades. In his current role as head of outreach for Cisco Talos Intelligence Group, he leads a team of threat researchers tasked with tracking nation-state APTs, mercenary hacker groups and ransomware cybercriminals. In this episode, Biasini talks about the cryptic world of threat actor attribution, the rise of PSOAs (private sector offensive...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Allison Nixon is Chief Researcher at Unit 221B and a trailblazer in the world of cybercrime research. In this episode, we deep-drive into the shadowy dynamics of underground criminal communities, high-profile ransomware attacks, teenage hacking groups breaking into big companies, and the challenges of attribution and law enforcement. Allison sheds light on why companies continue to be vulnerable targets and what...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub, conducting research on China’s efforts to develop its hacking capabilities, artificial-intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline. In this episode, Cary expands...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Abhishek Arya is director of engineering at Google, overseeing open source and supply chain security efforts that include OSS-Fuzz, SLSA, GUAC and OSV DB. In this episode, Arya talks about some early success experimenting with AI and LLMs on fuzzing and vulnerability management, the industry's over-pivoting on SBOMs, regulations and liability for software vendors, and the long road ahead for securing software...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Dr Sergey Bratus is a Research Associate Professor of Computer Science at Dartmouth College and a program manager at DARPA. In this episode, he discusses his pioneering work on securing parsers and patching long-forgotten devices. He also puts the AI hype into context and showers praise on the labor-of-love "citizen science" of hacking all the things. Links: Sergey Bratus Bio

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) DARPA program manager Perri Adams joins the conversation to chat about her love for CTF hacking competitions, the hunt for leapfrog security technologies in DARPA’s Information Innovation Office (I2O), and the goal of the new AI Cyber Challenge (AIxCC) offering $20 million in prizes to teams competing to develop AI-driven systems to automatically secure critical code. Links: DARPA AI Cyber Challenge Aims to Secure...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Peculiar Ventures chief executive Ryan Hurst joins the show to talk about a career that spanned 20 years at Microsoft and Google, his work building the plumbing for encryption on the web, unsolved problems in BGP security, the hype and promise of AI, and Microsoft's ongoing cloud security hiccups. Links: Projects - Peculiar VenturesRyan Hurst on LinkedInBinarly - AI-powered firmware securitySandboxAQ

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Bessemer Venture Partner's Jason Chan returns to the show for a frank discussion on the state of cyber, including thoughts on Microsoft's prominent security failures, the meaning of layoffs hitting security teams, the excitement around AI, and the long road ahead. The former Netflix security chief also talks about merging of the IT and security functions and the importance of cybersecurity proving its value to...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) GitHub security chief Mike Hanley joins the show to discuss merging the CSO and SVP/Engineering roles, securing data and code in an organization under constant attack, the thrilling promise of AI to the future of secure code, the dangers of equating SBOMs to supply chain security, and new SEC reporting rules for CISOs. Links: Michael Hanley on LinkedInGitHub SecurityGitHub Copilot AI pair programmerBig Tech...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Cenlar FSB security chief Jason Shockey joins the show to discuss the task of securing a financial institution, pivoting from a career in the military to the private sector, the current state of the job market, managing risk from APTs, and the mission of his My Cyberpath project. Links: Jason Shockey on LinkedInMy CyberpathJason Shockey joins Cenlar FSBNIST Cybersecurity Framework

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Faraday chief executive Federico 'Fede' Kirschbaum joins the show to talk about building a startup in the vulnerability management space, the intricacies of the Argentinian hacking culture, stories of exploit writers and mercenary hackers, and the overwhelming U.S.-centric view of the cybersecurity industry. Links: Faraday at Black Hat 2023Fede on LinkedInFederico Kirschbaum on TwitterEkopartyPadding Oracles...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Product security executive Kymberlee Price joins the show to gab about life in the trenches at the Microsoft Security Response Center (MSRC), the challenges of maintaining healthy hacker/vendor relationships, the harsh realities of bug-bounty programs, and thoughts on the cybersecurity job market. Links: Kymberlee Price on LinkedInBlueHat Seattle Closing Remarks - YouTubeKeynote: Defenders Assemble - Kymberlee...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) New General Manager of the Open Source Security Foundation (OpenSSF) Omkhar Arasaratnam joins Ryan for a candid conversation on the challenges surrounding open-source software security, lessons from the Log4j crisis, the value of SBOMs, and the U.S. government efforts at securing America's software supply chains. Links: OpenSSF Welcomes New General ManagerOpenSSF Alpha-OmegaCSRB report on Log4jBig Tech Object to...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Rishi Bhargava and the team of entrepreneurs behind Demisto’s $560 million exit are back at it with a new startup building technology in the customer identity market. The new company, called Descope, raised an abnormally large $53 million seed-stage funding round with ambitious plans to take on rivals big and small in the customer identity and authentication space. On this episode of the podcast, Bhargava...

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Symmetry Systems executive Claude Mandy joins the show to discuss a career in the security trenches, life as a CISO during the WannaCry crisis, and first principles around data security. We dig into the emerging Data Security Posture Management (DSPM) category and how it extends the Zero Trust philosophy to hybrid cloud data stores. Links: Claude Mandy on LinkedInWhat is Data Security Posture Management (DSPM)?The...